Skip to content

feat: enforce logging content rule and add LOG_PAYLOADS switch #436#459

Open
ypldan wants to merge 2 commits into
developmentfrom
feat/436-log-content-rule-and-payload-switch
Open

feat: enforce logging content rule and add LOG_PAYLOADS switch #436#459
ypldan wants to merge 2 commits into
developmentfrom
feat/436-log-content-rule-and-payload-switch

Conversation

@ypldan

@ypldan ypldan commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Applicable issues

Description of changes

Enabling DEBUG in a live environment shouldn't leak conversation content. This implements the
content rule from the approved design (#434), on top of the #435 lifecycle skeleton: logs carry
structure, never payload
.

  • Content rule (all levels). Payload dumps across the agent loop and toolsets become structure
    summaries (counts, roles, names, ids, sizes, header names, sanitized URLs); the payload itself
    goes through payload_logging.log_payload.
  • LOG_PAYLOADS switch (off by default, truncated when on) re-enables payload records for local
    debugging; it also caps openai/httpx/httpcore at INFO, so raising a log level alone never
    reveals content. Header values are never logged.
  • Tool-error exceptions render structurally in logs while keeping the body on error_message for
    the LLM (feat: expose MCP and HTTP Tool Errors to the LLM #408), the user-facing resolver, and fallback matching.

Docs updated (README, CODESTYLE §9, docs/agent.md, CLAUDE.md); design doc marked Implemented.

Checklist

  • Title of the pull request follows Conventional Commits specification
  • Design documented is updated/created and approved by the team (implements approved design Design: log levels & content policy #434)
  • Documentation is updated/created (README, CODESTYLE §9, docs/agent.md, CLAUDE.md)
  • Changes are tested on review environment
  • [ ] App schema changes are backward compatible, or breaking changes are documented with a migration guide (no schema/manifest-model change; the new env vars are additive and off by default)
  • Integration tests pass

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

DEBUG is routinely enabled in live environments during incidents, and today
that floods aggregated logs with conversation content (chat-completion payloads
incl. forwarded header values, message context, tool-call arguments, tool/LLM
response bodies, unfiltered signed URLs) — a privacy/compliance hazard made
worse by OTLP export (#433) and the upcoming JSON mode (#438). Implements part 2
of the approved design (#434) on top of the #435 lifecycle skeleton.

- Content rule at every level: payload-dumping logs across the agent loop and
  toolsets now emit a structure summary + route the payload through the new
  common.payload_logging.log_payload (a no-op unless LOG_PAYLOADS=true).
- LOG_PAYLOADS / LOG_PAYLOADS_MAX_LENGTH (off by default, truncated when on);
  forwarded header values are never logged even with the switch on.
- LoggingConfig caps openai/httpx/httpcore at INFO unless LOG_PAYLOADS=true.
- sanitize_url_for_log strips URLs to scheme/host/path at every log/exception site.
- ToolErrorException/MCPToolErrorException string form is structural (no body);
  the body stays on error_message for #408 LLM forwarding, the user-facing
  resolver, and fallback trigger_on matching (now matched on error_message).
- Docs: README, CODESTYLE §9, docs/agent.md, CLAUDE.md.
@ypldan ypldan self-assigned this Jul 17, 2026
The design gated #435 (merged) and #436 (this PR); #436 completes it, so flip
the status to Implemented and record both delivering issues.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Prefer structure over payload content in logs

1 participant